jasperjiaguo commented on a change in pull request #7653:
URL: https://github.com/apache/pinot/pull/7653#discussion_r738896052
##########
File path:
pinot-core/src/main/java/org/apache/pinot/server/access/AccessControl.java
##########
@@ -27,6 +28,13 @@
@InterfaceStability.Stable
public interface AccessControl {
+ /**
+ *
+ * @param channelHandlerContext netty tls context
+ * @return Whether the client has access to query server
+ */
+ boolean hasQueryServerAccess(ChannelHandlerContext channelHandlerContext);
+
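Review bot: `AccessControl` is annotated `@InterfaceStability.Stable`, and `hasQueryServerAccess` is added here as an abstract method, so any existing implementation of the interface stops compiling until it adds the method. Consider making it a `default` method and stating in the Javadoc what the default decision is. The Javadoc also has an empty summary line and describes the parameter only as "netty tls context"; it should say when the method is called, what is read from the context to make the decision, and what happens to the channel when it returns false.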
Review comment:
Right, server and broker will authenticate each other's cert during SSL
handshake. But we don't want to authorize hosts other than pinot-broker to
query pinot-server, even if they hold valid certificates signed by the trusted
CA. We already have similar behavior in pinot broker where the requester's
certificate and token will be examined in AccessControl.
Here the examination will incur minimal overhead since it's a one-off at
channel establishment.
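The distinction drawn in the comment above (a certificate that passes the TLS handshake is authenticated, not yet authorized) can be shown as an added example; this is not code from the pull request or from Pinot. The class name, the allow-list, and the choice to match on the certificate's subject CN are assumptions made for illustration.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.SslHandler;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.SSLPeerUnverifiedException;

// Hypothetical class; in Pinot it would implement AccessControl.
public class BrokerOnlyAccessControl {
  // Assumed allow-list of broker certificate CNs, supplied by configuration.
  private final Set<String> allowedBrokerCns;

  public BrokerOnlyAccessControl(Set<String> allowedBrokerCns) {
    this.allowedBrokerCns = allowedBrokerCns;
  }

  // Called once per channel, after the TLS handshake has completed.
  public boolean hasQueryServerAccess(ChannelHandlerContext ctx) {
    SslHandler ssl = ctx.pipeline().get(SslHandler.class);
    if (ssl == null) {
      return false; // fail closed: channel is not TLS
    }
    try {
      Certificate[] chain = ssl.engine().getSession().getPeerCertificates();
      if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
        return false;
      }
      // The handshake already proved the chain is signed by a trusted CA;
      // this step decides whether that identity may query the server.
      String cn = commonName((X509Certificate) chain[0]);
      return cn != null && allowedBrokerCns.contains(cn);
    } catch (SSLPeerUnverifiedException e) {
      return false; // no client certificate presented or handshake incomplete
    }
  }

  static String commonName(X509Certificate cert) {
    try {
      LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
      for (Rdn rdn : dn.getRdns()) {
        if ("CN".equalsIgnoreCase(rdn.getType())) {
          return rdn.getValue().toString();
        }
      }
    } catch (InvalidNameException e) {
      // fall through: an unparseable subject is treated as no identity
    }
    return null;
  }
}
```

Every failure path returns false, so a peer with a valid CA-signed certificate that is not on the allow-list is rejected at channel setup.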